Access to Azure Active Directory Subscription - My Role: Unknown

Nick 1 Reputation point
2020-04-27T09:07:49.287+00:00

In portal.azure.com I have two subscriptions.

One of them is the subscription named "Access to Azure Active Directory". As far as I can understand, this subscription was created automatically via the Office 365 subscription I have.

My profile is a Global Administrator. However, I cannot access "Access to Azure Active Directory" subscription as a Global Administrator or with Global Administrator rights. More specifically, when I view "My permissions" in "Access to Azure Active Directory" subscription, it says "You are an administrator on the subscription".

But, when for example I try to view "Activity log" or "Access control (IAM)" in "Access to Azure Active Directory" subscription, it says "DisallowedOperation: The current subscription type is not permitted to perform operations on any provider namespace. Please use a different subscription."

So, how is it possible to be an administrator on "Access to Azure Active Directory" subscription and also not able to do any action as an administrator?

Any help would be much appreciated.

Regards,
Nick

Microsoft Entra ID

3 answers

  1. Komorebi 21 Reputation points
    2020-08-07T08:49:00.017+00:00

    Came across this question and this Blog post which had the answer about this same Subscription name.
    It's a legacy Subscription. Detail below and in the Blog post.

    https://www.jasonfritts.me/2020/04/07/what-is-the-access-to-azure-active-directory-subscription-for/#:~:text=The%20%E2%80%9CAccess%20to%20Azure%20Active%20Directory%E2%80%9D%20subscriptions%20are%20a%20legacy,portal.azure.com).

    History of the Access to Azure Active Directory subscription

    The “Access to Azure Active Directory” subscriptions are a legacy subscription type that is no longer used. They were used prior to the current Azure Portal (https://portal.azure.com).

    At that time the classic Azure portal (https://manage.windowsazure.com) that was used to manage Azure Active Directory and other Azure resources only allowed access if the user had an Azure subscription associated to their user account. It utilized the classic Azure roles such as “Subscription Admin”, “Billing Admin” and “Co-Administrator” only, so you had to have one of these roles in order to log in. It did not take into account Azure AD roles like Global Administrator etc.

    4 people found this answer helpful.

  2. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-04-27T10:46:13.157+00:00

    @Nick , The error "Disallowed Operation" is usually thrown by an Azure Service when someone tries to perform any task on it without any proper permission.

    Make sure you are either an owner on the subscription or you are the service administrator or co-admin in the Azure Subscription to be able to make changes or play around with the Azure Services. If you just want to check any specific Azure Resource, make sure you are added on that Azure Resource with proper permission under the IAM section of that resource.

    A Global Admin is only for Azure AD and not for the Azure Services.

    As for me I am a Global Admin of my tenant but also an owner on the subscription.

    7600-subscription.png

    Do check the permissions on the resource or on the subscription level and make sure you have proper permissions. Do share a screenshot for us to understand better in case there are more queries around this.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

    1 person found this answer helpful.

  3. Nick 1 Reputation point
    2020-04-27T10:58:31.38+00:00

    @soumi-MSFT , It seems that I cannot access the IAM for that resource, although I am an admin for that resource. It seems like a deadlock.

    7712-s1.png

    7742-s2.png

    7692-s3.png